Audit Report

OIG-09-018
Management Letter for Fiscal Year 2008 Audit of the Financial Management Service’s Schedule of Non-Entity Assets, Non-Entity Costs and Custodial Revenue

December 18, 2008

Office of Inspector General
DEPARTMENT OF THE TREASURY

This report has been reviewed for public dissemination by the Office of Counsel to the Inspector General. Information requiring protection from public dissemination has been redacted from this report in accordance with the Freedom of Information Act, 5 U.S.C. Section 552.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

OFFICE OF INSPECTOR GENERAL

December 18, 2008

MEMORANDUM FOR JUDITH R. TILLMAN, COMMISSIONER
               FINANCIAL MANAGEMENT SERVICE

FROM:          Michael Fitzgerald /s/
               Director, Financial Audits

SUBJECT:       Management Letter for Fiscal Year 2008 Audit of the Financial Management Service’s Schedule of Non-Entity Assets, Non-Entity Costs and Custodial Revenue

I am pleased to transmit the attached management letter in connection with the audit of the Financial Management Service’s (FMS) Fiscal Year (FY) 2008 Schedule of Non-Entity Assets, Non-Entity Costs and Custodial Revenue. Under a contract monitored by the Office of Inspector General, KPMG LLP, an independent certified public accounting firm, performed an audit of FMS’s Schedule of Non-Entity Assets, Non-Entity Costs and Custodial Revenue for FY 2008. The contract required that the audit be performed in accordance with generally accepted government auditing standards; applicable provisions of Office of Management and Budget Bulletin No. 07-04, Audit Requirements for Federal Financial Statements; and the GAO/PCIE Financial Audit Manual.

As part of its audit, KPMG LLP issued and is responsible for the accompanying management letter that discusses certain matters involving internal control and other operational matters that were identified during the audit but were not required to be included in the auditors’ reports.

This letter contains sensitive information about FMS’s information technology policies and practices, such as thresholds and tolerances, which requires protection from public dissemination. This information was redacted in our report for public dissemination in accordance with Exemption 2 of the Freedom of Information Act, 5 USC § 552(b)(2). Recipients of this letter should not show or release its contents for purposes other than official review to prevent publication or other improper disclosure of the information it contains.

In connection with the contract, we reviewed KPMG LLP’s letter and related documentation and inquired of its representatives. Our review disclosed no instances where KPMG LLP did not comply, in all material respects, with generally accepted government auditing standards.

Should you have any questions, please contact me at (202) 927-5789, or a member of your staff may contact Mark S. Levitt, Manager, Financial Audits at (202) 927-5076.

Attachment

cc:   Kenneth E. Carfine
      Fiscal Assistant Secretary


U.S. DEPARTMENT OF THE TREASURY
FINANCIAL MANAGEMENT SERVICE
FISCAL YEAR 2008
Treasury Managed Accounts

Management Letter (REDACTED VERSION)

November 17, 2008


Table of Contents

Transmittal Letter

Exhibit I – Current Year Comments and Recommendations:
    1. Miscalculation of a Foreign Currency Payment in the Judgment Fund, Contract Disputes Accounts Receivable Balances
    2. Non-Compliance with Billing Letter Requirements Contained in the Contract Disputes Act and No FEAR Act
    3. FASDAS AIX Operating System Password Age Not in Compliance with the AIX Security Standards Manual

Exhibit II – Status of Prior Year Comments and Recommendations


KPMG LLP
2001 M Street, NW
Washington, DC 20036

November 17, 2008

Inspector General, U.S. Department of the Treasury and
Commissioner of the Financial Management Service:

We have audited the Schedule of Non-Entity Assets as of September 30, 2008 and Non-Entity Costs and Custodial Revenue (collectively, Treasury Managed Accounts (TMA)) for the year then ended (hereinafter referred to as the “Schedule”) of the U.S. Department of the Treasury’s Financial Management Service (FMS), and have issued our report thereon dated November 17, 2008. The Schedule as of September 30, 2007 was audited by other auditors whose report thereon dated November 8, 2007, expressed an unqualified opinion on that Schedule. In planning and performing our audit of FMS’s Schedule, in accordance with auditing standards generally accepted in the United States of America, we considered internal control over financial reporting (internal control) as a basis for designing our auditing procedures for the purpose of expressing our opinion on the Schedule and not for the purpose of expressing an opinion on the effectiveness of FMS’s internal control relating to TMA. Accordingly, we do not express an opinion on the effectiveness of FMS’s internal control relating to TMA. We have not considered internal control since the date of our report.

During our audit we noted certain matters involving internal control and other operational matters that we present for your consideration. These comments and recommendations, all of which have been discussed with the appropriate members of management, are intended to improve internal control or result in other operating efficiencies and are summarized in Exhibit I (Current Year Comments and Recommendations) and Exhibit II (Status of Prior Year Comments and Recommendations).

We noted other matters involving internal control and its operation relating to information technology general controls that could affect the data used to prepare FMS’s Schedule. These matters are detailed in a separate management letter issued in conjunction with the FY2008 audit of FMS’s Schedule of Non-Entity Government-wide Cash, the title of which is “User System Access is not being removed in a timely manner upon separation of employment from FMS”.

Our audit procedures are designed primarily to enable us to form an opinion on the Schedule described above, and therefore may not bring to light all deficiencies in policies, procedures, or internal control that may exist. We aim, however, to use our knowledge of FMS relating to TMA gained during our work to make comments and suggestions that we hope will be useful to you. We would be pleased to discuss these comments and recommendations with you at any time.

FMS’s responses to our comments and recommendations have not been subjected to the auditing procedures applied in the audit of the Schedule and, accordingly, we express no opinion on them.

This communication is intended solely for the information and use of FMS management, the U.S. Department of the Treasury’s Office of Inspector General, the Office of Management and Budget, the Government Accountability Office, and the U.S. Congress, and is not intended to be, and should not be, used by anyone other than these specified parties.

KPMG LLP, a U.S. limited liability partnership, is the U.S. member firm of KPMG International, a Swiss cooperative.


Exhibit I

Financial Management Service
Treasury Managed Accounts

Current Year Comments and Recommendations

September 30, 2008

1. Miscalculation of a Foreign Currency Payment in the Judgment Fund, Contract Disputes Accounts Receivable Balances

During our testwork over 32 Contract Disputes Act (CDA) accounts receivable balances, we identified 1 CDA accounts receivable balance where the amount certified for disbursement from the Judgment Fund was incorrect due to a miscalculation of the foreign currency conversion.

We noted the following causes of this miscalculation and resulting overpayment:

    • The Certifying Officer (CO) within the Judgment Fund Branch did not review the Judgment Fund Internet Claims System (JFICS) Transfer Report prior to certifying the Voucher and Schedule of Payment form, SF 1166a, because it was not provided with the SF 1166a.
    • Line 1 of the Judgment Fund Voucher for Payment (FMS Form 197) did not include the disbursement amount in Euros; therefore, FMS should have requested a revised FMS Form 197 with the correct payment amount in Euros from the requesting agency.

GAO Standards for Internal Control in the Federal Government states, “Transactions and other significant events should be authorized and executed only by persons acting within the scope of their authority. This is the principal means of assuring that only valid transactions to exchange, transfer, use, or commit resources and other events are initiated or entered.”

Treasury Financial Manual Volume I, Part 6, Chapter 3100, section 3135, states, “FMS will return, without action, requests for certifications that do not contain all required documents, information or certifications.”

FMS had initially overstated its Intra-governmental Accounts Receivable, Net balance, by $126,811 and had not requested reimbursement of the $126,811 overpayment from the entity paid. However, the requesting agency subsequently paid this accounts receivable amount to FMS in July 2008 for the full amount of $387,671. Therefore, as of September 30, 2008, FMS had understated its With the Public, Accounts Receivable, Net balance; overstated its Non-Entity Costs – Judgments; overstated its Recoveries from Federal Agencies for Settlement of Claims from Contract Disputes; and understated Accounts Payable-Federal, all by $126,811.

Recommendations:

We recommend:
    1. FMS develop and implement procedures to have the Preparer/Data Entry Operator (DEO) review, reconcile and sign off as evidence of their review of the Voucher and Schedule of Payment form, SF1166a, and JFICS Transfer Report prior to the information being provided to the CO for approval. In addition, the CO should review and reconcile both the SF 1166a and the JFICS Transfer Report and document their review prior to certification of the payment.
    2. FMS develop and implement procedures to have the Accountant responsible for recording the CDA accounts receivable review the voucher package from the Judgment Fund Branch for accuracy and completeness prior to recording the related accounts receivable in the general ledger.
    3. FMS request reimbursement of the $126,811 overpayment from the entity paid.
    4. FMS:
           o Establish a With the Public, Accounts Receivable, and an Accounts Payable-Federal, both for $126,811, and
           o Reduce its Non-Entity Costs - Judgments, and Recoveries from Federal Agencies for Settlement of Claims from Contract Disputes, both for $126,811.

Management’s Response: Concur

FMS will develop and implement procedures to have the Preparer/DEO review, reconcile and sign off as evidence of their review the Voucher and Schedule of Payment form, SF1166a. Due date: January 15, 2009.

FMS will develop and implement a procedure to attach the JFICS Transfer Report for review by the Certifying Officer prior to approving the Voucher and Schedule of Payment, SF1166a. Due date: January 15, 2009.

FMS will develop and implement a procedure to have the Accountant responsible for recording the CDA accounts receivable review the voucher package from the Judgment Fund Branch for accuracy and completeness prior to recording the related accounts receivable in the general ledger. Due date: February 15, 2009.

Written request will be made of the entity paid for return of funds by November 14, 2008. If funds are not returned to FMS within 30 business days, FMS will send a follow up letter requesting return of the funds. Finally, if no payment or other response is received within the next 30 days, the outstanding debt will be referred to the Treasury Offset Program (TOP).

Establish an accounts receivable of $126,811 with the Public by November 30, 2008.

2. Non-Compliance with Billing Letter Requirements Contained in the Contract Disputes Act and No FEAR Act

During our testing of compliance with the Contract Dispute Act and No FEAR Act, KPMG noted the following:

    • For 1 out of 32 CDA accounts receivable transactions, 15-day billing letters were not provided to KPMG for testing.
    • For 1 out of 32 CDA accounts receivable transactions, timeliness of 45-day letters could not be determined because there was no initial letter within 15 days.
    • For 1 out of 32 CDA accounts receivable transactions, timeliness of 60-day letters could not be determined because there was no initial letter within 15 days.
    • For 9 out of 32 CDA accounts receivable transactions, 15-day billing letters were late.
    • For 10 out of 32 CDA accounts receivable transactions, 45-day letters were not sent in a timely manner.
    • For 19 out of 32 CDA accounts receivable transactions, 60-day letters were late.
    • For 1 out of 34 No FEAR accounts receivable transactions, 15-day billing letters did not have a date.
    • For 14 out of 34 No FEAR accounts receivable transactions, 15-day billing letters were late.
    • 1 out of 34 No FEAR accounts receivable transactions was recorded in FASDAS prior to disbursement from the Judgment Fund.

We noted the following causes:

    • The Judgment Fund Branch procedures related to CDA and No FEAR do not document how the timeliness of billing letters is to be monitored and there is no requirement for a supervisory review to be performed to ensure compliance with CDA and No FEAR billing letter requirements.
    • FMS has no written procedures in place to require a review over the recording of No FEAR Accounts Receivable to ensure appropriate dates are utilized for the recording of accounts receivable.

FMS is not in compliance with the following:

Contract Disputes Act
    • Treasury Financial Manual Volume I, Part 6 Chapter 3100, section 3150.10, states, “FMS will make demands for the reimbursement in writing to the debtor agency 15 days from the date of payment to the claimant. If the responsible agency fails to contact FMS within 30 days of initial contact letter, FMS will send a follow up letter to the responsible agency [45-day billing letter]. If the agency fails to respond within 60 days of the initial contact, FMS will send a letter to the responsible agency’s Chief Financial Officer CFO [60-day letter].”

No FEAR Act
    • 5 CFR 724.104 states:
      “§ 724.104 Procedures
      (a) The procedures that agencies must use to reimburse the Judgment Fund are those prescribed by the Financial Management Service (FMS), the Department of the Treasury, in Chapter 3100 of the Treasury Financial Manual. All reimbursements to the Judgment Fund covered by the No FEAR Act are expected to be fully collectible from the agency. FMS will provide written notice to the agency's Chief Financial Officer within 15 business days after payment from the Judgment Fund.
      (b) Within 45 business days of receiving the FMS notice, agencies must reimburse the Judgment Fund or contact FMS to make arrangements in writing for reimbursement.
    • Treasury Financial Manual Volume I, Part 6 Chapter 3100, section 3150.30, states, “FMS must report all receivables arising from certification of Fund Payments.”

In addition, by FMS not sending the notifications on a timely basis, the related timeliness of reimbursements from the agencies may be affected. Lastly, recording No FEAR accounts receivable transactions prior to the related disbursement from the Judgment Fund may misstate TMA accounts receivable.

Recommendations:

We recommend:
    1. FMS develop and implement procedures for the Judgment Fund Branch related to CDA and No FEAR to require the monitoring of the timeliness of billing letters, and to require a supervisory review be performed periodically to ensure compliance with CDA and No FEAR billing letter requirements.
    2. FMS develop and implement procedures to require the System Accountant responsible for recording the CDA accounts receivable review the voucher package from the Judgment Fund Branch for accuracy and completeness, ensuring that the disbursement had been made prior to recording the related accounts receivable in the general ledger.

Management’s Response: Concur

FMS will develop and implement procedures for the Judgment Fund Branch related to CDA and No FEAR Act cases to require the monitoring of the timeliness of billing letters, and to require a supervisory review be performed periodically to ensure compliance with CDA and No FEAR billing letter requirements. Due date: February 27, 2009

FMS will develop and implement procedures to perform periodically a review and spot check to ensure appropriate dates are entered correctly for the computation of the accounts receivable dates. Due date: February 27, 2009

3. FASDAS AIX Operating System Password Age Not in Compliance with the AIX Security Standards Manual

The password expiration settings for three (3) user accounts with remote access to the Financial Accounting and Services Division Accounting System (FASDAS) IBM Advanced Interactive Executive (AIX) operating system have not been configured in accordance with the FMS AIX Security Standards Manual. Specifically, in the IBM AIX operating system, the MAXAGE parameter is the maximum number of weeks that can pass before a password must be changed. The MAXEXPIRED parameter is the maximum number of weeks beyond MAXAGE that a password can be changed before administrative action is required to change the password. When combined, these parameters determine a user account’s password age. For the aforementioned three user accounts, the MAXAGE and MAXEXPIRED parameters have been set to ************, respectively. This created a maximum password age of ************** ****, which is ****** longer than what the AIX Security Standard Manual requires. According to FMS management, due to an oversight in the implementation of the updated AIX Security Standards, the MAXAGE and MAXEXPIRED parameters were incorrectly configured for these three (3) user accounts.

The AIX Security Standards Version 3.2, effective 2/19/08, requires the MAXAGE parameter to be set to ******** and the MAXEXPIRED parameter to be set to ***********, for a maximum password age totaling *******, or *******. In addition, the FMS IT Security Standards Manual requires passwords to be changed every 90 days. User accounts with passwords that do not expire in a timely manner could be exposed to greater misuse and abuse than accounts with passwords changed in a more frequent manner.
[*- information REDACTED - FOIA EXEMPTION 2, 5 U.S.C. §552(b)(2)]

Recommendation:

We recommend FMS management configure the MAXAGE and MAXEXPIRED parameters of the three (3) accounts identified to be in accordance with the requirements outlined in the FMS AIX Security Standards Manual.

Management’s Response: Concur

FMS completed correct configuration of the MAXAGE and MAXEXPIRED parameters for the three (3) accounts identified.

Additionally, we are implementing a new user provisioning tool that ensures users are provisioned with the requirements outlined in the FMS AIX Standards document.


Exhibit II

Financial Management Service
Treasury Managed Accounts

Status of Prior Year Comments and Recommendations

September 30, 2008

FMS Finding #   Findings                                             Action Complete   Action in Progress
1               The FASDAS UNIX password setting is not in           X
                compliance with FMS IT Security or AIX standards.
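The MAXAGE/MAXEXPIRED check described in finding 3, as an added example (not code from the report, KPMG or FMS): it parses text in the AIX /etc/security/user stanza layout, applies default-stanza inheritance, and lists accounts whose effective settings exceed limits supplied by the caller. The sample file, the account names and the limits of 12 and 2 weeks are constructed, because the report's required values are redacted; 12 weeks is only the largest whole-week value inside the 90-day rule the report cites.

```python
import re

# Constructed sample in the AIX /etc/security/user stanza layout.
# Account names and values are invented; none come from the report.
SAMPLE_USER_FILE = """\
* comment lines begin with an asterisk
default:
        maxage = 12
        maxexpired = 2

root:
        maxage = 12

svc_batch:
        maxage = 0

jdoe:
        maxage = 26
        maxexpired = 8

asmith:
        maxexpired = -1
"""

STANZA = re.compile(r"^(\S+):\s*$")
ATTR = re.compile(r"^\s+(\w+)\s*=\s*(\S+)")


def parse_stanzas(text):
    """Return {stanza: {attribute: value}} for stanza-format text."""
    stanzas, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("*"):
            continue
        head = STANZA.match(line)
        if head:
            current = stanzas.setdefault(head.group(1), {})
            continue
        attr = ATTR.match(line)
        if attr and current is not None:
            current[attr.group(1)] = attr.group(2)
    return stanzas


def audit_password_age(text, max_age_weeks, max_expired_weeks):
    """List accounts whose effective maxage/maxexpired break the limits."""
    stanzas = parse_stanzas(text)
    default = stanzas.get("default", {})
    findings = []
    for user, attrs in stanzas.items():
        if user == "default":
            continue
        # A user stanza overrides "default"; with neither set, AIX uses
        # maxage=0 (no expiry) and maxexpired=-1 (no limit).
        maxage = int(attrs.get("maxage", default.get("maxage", "0")))
        maxexpired = int(attrs.get("maxexpired", default.get("maxexpired", "-1")))
        reasons, total = [], None
        if maxage == 0:
            # maxexpired is ignored when maxage is 0.
            reasons.append("maxage=0: password never expires")
        else:
            if maxage > max_age_weeks:
                reasons.append(f"maxage={maxage} exceeds {max_age_weeks} weeks")
            if maxexpired == -1:
                reasons.append("maxexpired=-1: no cutoff after expiry")
            else:
                total = maxage + maxexpired  # combined password age in weeks
                if maxexpired > max_expired_weeks:
                    reasons.append(
                        f"maxexpired={maxexpired} exceeds {max_expired_weeks} weeks")
        if reasons:
            findings.append({"user": user, "maxage": maxage,
                             "maxexpired": maxexpired,
                             "total_weeks": total, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_password_age(SAMPLE_USER_FILE, 12, 2):
        print(f["user"], f["total_weeks"], "; ".join(f["reasons"]))
```

On a live AIX host the same two attributes can be listed per account with `lsuser -a maxage maxexpired ALL`.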